Skip to content

Latest commit

 

History

History
29 lines (27 loc) · 20.3 KB

ds_google_cloud_platform.md

File metadata and controls

29 lines (27 loc) · 20.3 KB

Vendor: Google

Product: Cloud Platform

Rules Models MITRE ATT&CK® TTPs Event Types Parsers
277 124 39 22 22
Use-Case Event Types/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access app-activity
googlecloud-app-activity

cloud-admin-activity
googlecloud-iam-activity
googlecloud-cloudresourcemanager-activity

cloud-admin-activity-failed
googlecloud-iam-activity
googlecloud-cloudresourcemanager-activity

storage-access
googlecloud-storage-activity

storage-activity
googlecloud-storage-activity

storage-activity-failed
googlecloud-storage-activity

web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
  • 36 Rules
  • 19 Models
Account Manipulation app-activity
googlecloud-app-activity

cloud-admin-activity
googlecloud-iam-activity
googlecloud-cloudresourcemanager-activity

cloud-admin-activity-failed
googlecloud-iam-activity
googlecloud-cloudresourcemanager-activity

storage-access
googlecloud-storage-activity

storage-activity
googlecloud-storage-activity

storage-activity-failed
googlecloud-storage-activity
 T1078.004 - Valid Accounts: Cloud Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
  • 13 Rules
  • 6 Models
Cloud Data Protection gcp-disk-attach
gcp-instancesattachdisk-json

gcp-disk-create
gcp-disksinsert-json

gcp-instance-create
gcp-instancesinsert-json

gcp-snapshot-create
gcp-diskscreatesnapshot-json

gcp-storageobject-acl
gcp-objectsupdate-json
 T1530 - Data from Cloud Storage Object
TA0004 - TA0004
TA0009 - TA0009
  • 8 Rules
  • 7 Models
Cryptomining gcp-instance-create
gcp-instancesinsert-json

web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1071.001 - Application Layer Protocol: Web Protocols
T1074 - Data Staged
T1496 - Resource Hijacking
  • 3 Rules
  • 1 Models
Data Access app-activity
googlecloud-app-activity
 T1078 - Valid Accounts
  • 19 Rules
  • 11 Models
Data Exfiltration netflow-connection
gcpvpc-netflow-connection

web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1041 - Exfiltration Over C2 Channel
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 9 Rules
  • 2 Models
Data Leak app-activity
googlecloud-app-activity

web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1114.003 - Email Collection: Email Forwarding Rule
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • 9 Rules
  • 2 Models
Lateral Movement app-activity
googlecloud-app-activity

netflow-connection
gcpvpc-netflow-connection

web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1018 - Remote System Discovery
T1021 - Remote Services
T1021.001 - Remote Services: Remote Desktop Protocol
T1046 - Network Service Scanning
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1090.003 - Proxy: Multi-hop Proxy
T1190 - Exploit Public Fasing Application
T1210 - Exploitation of Remote Services
TA0008 - TA0008
TA0010 - TA0010
TA0011 - TA0011
  • 60 Rules
  • 21 Models
Phishing web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1189 - Drive-by Compromise
T1204.001 - T1204.001
T1534 - Internal Spearphishing
T1566.002 - Phishing: Spearphishing Link
T1598.003 - T1598.003
  • 4 Rules
Privileged Activity app-activity
googlecloud-app-activity

web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
  • 4 Rules
  • 1 Models
Ransomware app-activity
googlecloud-app-activity

web-activity-allowed
googlecloud-web-activity

web-activity-denied
googlecloud-web-activity
 T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Workforce Protection web-activity-allowed
googlecloud-web-activity
 T1071.001 - Application Layer Protocol: Web Protocols
  • 4 Rules
  • 2 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Phishing: Spearphishing Link

External Remote Services

Valid Accounts

Drive-by Compromise

Valid Accounts: Cloud Accounts

Exploit Public Fasing Application

Phishing

 User Execution

 Boot or Logon Initialization Scripts

Create Account

External Remote Services

Valid Accounts

Account Manipulation

Create Account: Create: Cloud Account

Account Manipulation: Exchange Email Delegate Permissions

 Boot or Logon Initialization Scripts

Valid Accounts

 Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Obfuscated Files or Information

Unused/Unsupported Cloud Regions

 Network Service Scanning

Remote System Discovery

 Exploitation of Remote Services

Remote Services

Remote Services: Remote Desktop Protocol

Internal Spearphishing

 Email Collection

Data from Cloud Storage Object

Data Staged

Email Collection: Email Forwarding Rule

 Web Service

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Dynamic Resolution

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

 Resource Hijacking